Using markdown properly in a PHP application

Tags: php, markdown

I work on a web application that uses Markdown as its syntax. The only issue I am facing is how to validate the user input on the server side so that it is actually Markdown and not some XSS attack that could be injected using a POST request or by disabling JavaScript.

I know StackOverflow does this, but how do they do it and allow certain HTML tags, including images that are prone to XSS attacks? Any open source package that can help (examples appreciated)?

Because I heard that StackOverflow uses it, I will be trying out Pagedown as a client-side validator.

user115422 asked Jun 26 '26 21:06

1 Answer

You need to invest ca. one to two weeks of proper coding and get some tagsoup parser / handler finished that can sanitize the incoming HTML (via Markdown).

I highly suggest a three pass validation and processing scheme:

  1. Mix-Mode: Whitelist incoming HTML tags that are part of the Markdown document.
  2. Markdown Parser: Transform Markdown into HTML.
  3. HTML-Mode: Whitelist HTML tags that are in the HTML document.

You can then output. Store both the Markdown source and the "backed" HTML data so you don't need to do this for every display operation.

hakre answered Jun 29 '26 12:06

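The three passes from the answer, worked as an added PHP example (not code from the answer or from any project): pass 3 is a tag-and-attribute whitelist built on PHP's bundled DOMDocument (ext/dom), pass 2 assumes the Parsedown library is installed via Composer, and Parsedown's setMarkupEscaped() serves as a maximally strict pass 1 that escapes, rather than whitelists, any raw HTML in the Markdown source. The allowed tags, attributes and URL schemes are choices made for this example.

```php
<?php
require 'vendor/autoload.php';   // assumed: Parsedown installed via Composer (erusev/parsedown)
final class HtmlWhitelist
{
    // Allowed tags, each with its allowed attributes; any other tag or attribute is dropped.
    private const ALLOWED = [
        'p' => [], 'br' => [], 'em' => [], 'strong' => [], 'code' => [], 'pre' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt', 'title'],
    ];
    public static function clean(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);   // tag soup triggers parser warnings; collect them instead of emitting
        // A single wrapper <div> gives the fragment one root element; the PI makes libxml read the input as UTF-8.
        $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        self::walk($doc->documentElement);
        $out = '';
        foreach ($doc->documentElement->childNodes as $child) { $out .= $doc->saveHTML($child); }   // re-escapes < and & in text
        return $out;
    }
    private static function walk(DOMNode $node): void
    {
        foreach (iterator_to_array($node->childNodes) as $child) {   // snapshot: the child list is mutated below
            if (!$child instanceof DOMElement) { continue; }   // text nodes are re-escaped on output
            if (!isset(self::ALLOWED[$child->tagName])) {   // unknown tag: drop it with its contents (<script>, <iframe>, ...)
                $node->removeChild($child); continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $isUrl = in_array($attr->name, ['href', 'src'], true);
                if (!in_array($attr->name, self::ALLOWED[$child->tagName], true) || ($isUrl && !self::safeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);   // strips on* handlers, style, and javascript:/data: URLs
                }
            }
            self::walk($child);
        }
    }
    private static function safeUrl(string $url): bool
    {
        $scheme = parse_url(trim($url), PHP_URL_SCHEME);   // null for relative URLs, false if unparsable
        return $scheme === null || in_array(strtolower((string) $scheme), ['http', 'https', 'mailto'], true);
    }
}
// Pass 1 (mix-mode): setMarkupEscaped() makes Parsedown escape every raw HTML tag in the source, the strictest
// possible whitelist. Pass 2: Markdown -> HTML. Pass 3: whitelist the generated HTML; this still matters because
// a plain Markdown link such as [x](javascript:...) passes the first two stages untouched.
function renderMarkdown(string $markdown): string
{
    $parser = (new Parsedown())->setMarkupEscaped(true);
    return HtmlWhitelist::clean($parser->text($markdown));
}
```

As the answer suggests, store the Markdown source alongside the output of renderMarkdown() so the three passes run once per edit rather than once per page view.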